> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Bind the certificate in IIS

> Bind the CryptoHub-backed certificate to the site's HTTPS binding in IIS Manager.

Bind the installed certificate to the target site so IIS serves HTTPS with the HSM-backed key.

<Steps>
  <Step>
    Select **Start** > **Windows Administrative Tools** > **Internet Information Services (IIS)
    Manager**.
  </Step>

  <Step>
    In the **Connections** pane, expand the server node, expand **Sites**, and select the target
    site. In the **Actions** pane, select **Bindings...**.
  </Step>

  <Step>
    Select **\[ Add... ]** (or select an existing `https` binding and **\[ Edit... ]**) and
    configure:

    * **Type**: `https`
    * **Port**: `443`
    * **Host name**: the site FQDN (matching a SAN entry in the certificate)
    * **SSL certificate**: select the certificate issued in the previous section
  </Step>

  <Step>
    Select **\[ OK ]**, then **\[ Close ]**.
  </Step>

  <Step>
    Restart IIS so the binding takes effect:

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    iisreset
    ```
  </Step>
</Steps>

## Bind from the command line (alternative)

You can also create the HTTPS binding from the command line with `netsh` instead of IIS Manager. This is useful for scripted or repeatable deployments.

<Steps>
  <Step>
    Add the site binding in IIS, then map the certificate to the port with `netsh`. Use the
    certificate's thumbprint (the `certhash`) and the site's application ID (the `appid`, a GUID):

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    netsh http add sslcert ipport=0.0.0.0:443 certhash=<CertificateThumbprint> appid={<SiteAppIdGuid>} certstorename=MY
    ```

    * `<CertificateThumbprint>` is the certificate's SHA-1 thumbprint with no spaces. Get it with
      `Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint`.
    * `<SiteAppIdGuid>` is any GUID that identifies the binding owner. For IIS, use the site's
      application pool or a generated GUID (`[guid]::NewGuid()`); record it so you can remove the
      binding later.
    * `certstorename=MY` points `netsh` at the machine **Personal** store where you imported the
      certificate.
  </Step>

  <Step>
    Confirm the binding:

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    netsh http show sslcert ipport=0.0.0.0:443
    ```

    <Check>
      The output lists your certificate hash and application ID for `0.0.0.0:443`. Requests to the
      site over HTTPS are now served with the CryptoHub-backed key.
    </Check>
  </Step>
</Steps>

<Note>
  The `netsh` and IIS Manager paths are alternatives; use one or the other for a given binding. IIS
  Manager is the simpler choice for a single site, and `netsh` suits scripted deployments.
</Note>
